Method 1: Filter characters with Replace
Workaround: in Login.asp, find the lines that read the submitted form fields, which look like
Username=Request.Form("name")
Pass=Request.Form("Pass")
and change them to
Username=Replace(Request.Form("name"), "'", "''")
Pass=Replace(Request.Form("Pass"), "'", "''")
Replace doubles every single quote in the value, so a quote typed by the user stays a literal character inside the SQL string instead of closing it, which is what a payload such as ' or '1'='1 relies on. This only protects values the query wraps in single quotes: a value substituted into a numeric position (an id, for example) contains no quote to escape, so Replace does nothing for it. Parameterised queries (ADODB.Command with Parameters) remain the proper fix; Replace is the quick patch for an existing page.
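Method 1 in action, as an added Python example that is not code from the page: the login query is built by string concatenation the way the Login.asp snippet implies, once without escaping and once with the quote-doubling Replace, and run against a constructed in-memory SQLite users table. The query shape, the table and the users are assumptions; a parameterised query is included as the fix that does not depend on quoting, and the numeric-id lookup goes beyond the page to show the case the Replace cannot cover.

```python
import sqlite3

# Constructed sample database standing in for the site's user table (not from the page).
SEED_USERS = [(1, "admin", "s3cret"), (2, "guest", "guest")]


def make_db():
    """In-memory SQLite stand-in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    return conn


def escape_quotes(value):
    """Method 1: the same transformation as Replace(x, "'", "''") in VBScript."""
    return value.replace("'", "''")


def build_login_query(username, password, escape=False):
    """The string-concatenated query shape assumed for Login.asp (an assumption;
    the page does not show the query itself)."""
    if escape:
        username, password = escape_quotes(username), escape_quotes(password)
    return ("SELECT COUNT(*) FROM users WHERE username='%s' AND pass='%s'"
            % (username, password))


def login_concat(conn, username, password, escape=False):
    """Login check built by concatenation; escape=True applies Method 1."""
    sql = build_login_query(username, password, escape)
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """The robust alternative: the driver binds the values, so no quoting is needed."""
    row = conn.execute("SELECT COUNT(*) FROM users WHERE username=? AND pass=?",
                       (username, password)).fetchone()
    return row[0] > 0


def count_by_id(conn, id_value, escape=False):
    """A numeric position is not quoted in the SQL, so Replace("'", "''") has
    nothing to act on and Method 1 gives no protection here (hypothetical lookup)."""
    if escape:
        id_value = escape_quotes(id_value)
    return conn.execute("SELECT COUNT(*) FROM users WHERE id=%s" % id_value).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print(build_login_query(payload, payload))
    print(build_login_query(payload, payload, escape=True))
    print("concat, no escaping  :", login_concat(db, payload, payload))
    print("concat, Method 1     :", login_concat(db, payload, payload, escape=True))
    print("parameterised        :", login_param(db, payload, payload))
    print("numeric id, Method 1 :", count_by_id(db, "3 OR 1=1", escape=True))
```

Running it shows the unescaped concatenation logging in with ' or '1'='1 in both fields, the escaped version rejecting it (the doubled quotes turn the payload into a plain string that matches no user), the parameterised query rejecting it without any escaping at all, and the numeric lookup returning every row regardless of Method 1.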
Method 2: Include safe.asp from conn.asp
Add an include of safe.asp (for example <!--#include file="safe.asp"-->) to conn.asp, so that every page which already includes conn.asp runs the check before touching the database.
Note: this only protects pages that include conn.asp; a login page that opens its own connection is not covered.
The check is a substring blacklist over every GET and POST value, so it also rejects ordinary input that happens to contain a listed entry (a username with "and" in it, a form field containing "=" or parentheses), and it does not make the SQL itself safe. Treat it as a stop-gap in front of properly parameterised queries rather than as the fix.
Save the following code as safe.asp.
Program code:
<%
Dim Query_Badword, Form_Badword, Chk_badword, i, Err_Message, Err_Web, Query_Name, name
Err_Message = 3
' 1 = alert and close the window, 2 = redirect only, 3 = alert, then redirect
Err_Web = "Safe.htm"
' Page to redirect to on error
Query_Badword = "'|and|select|update|chr|delete|%20from|;|insert|mid|master.|set|chr(37)|="
' Illegal GET substrings are defined here, separated by "|"
' (the value is lower-cased before matching, so every entry must be lower case)
Form_Badword = "'|(|)|;|="
' Illegal POST substrings are defined here, separated by "|"
On Error Resume Next
If Request.QueryString <> "" Then
  Chk_badword = Split(Query_Badword, "|")
  For Each Query_Name In Request.QueryString
    For i = 0 To UBound(Chk_badword)
      ' InStr returns 0 when the entry is absent; anything else is a hit
      If InStr(LCase(Request.QueryString(Query_Name)), Chk_badword(i)) <> 0 Then
        Select Case Err_Message
          Case 1
            Response.Write "<script language=JavaScript>alert('Parameter error! The value of parameter " & Query_Name & " contains an illegal string! Do not use and, update, delete, ;, insert, mid, master or similar illegal characters in parameters!');window.close();</script>"
          Case 2
            Response.Write "<script language=JavaScript>location.href='" & Err_Web & "';</script>"
          Case 3
            Response.Write "<script language=JavaScript>alert('Parameter error! The value of parameter " & Query_Name & " contains an illegal string! Do not use and, update, delete, ;, insert, mid, master or similar illegal characters in parameters!');location.href='" & Err_Web & "';</script>"
        End Select
        ' Stop the page here so the calling script never reaches the database
        Response.End
      End If
    Next
  Next
End If
If Request.Form <> "" Then
  Chk_badword = Split(Form_Badword, "|")
  For Each name In Request.Form
    For i = 0 To UBound(Chk_badword)
      If InStr(LCase(Request.Form(name)), Chk_badword(i)) <> 0 Then
        Select Case Err_Message
          Case 1
            Response.Write "<script language=JavaScript>alert('Error! The value of form field " & name & " contains an illegal string! Your illegal operation has been recorded, please stop immediately!');window.close();</script>"
          Case 2
            Response.Write "<script language=JavaScript>location.href='" & Err_Web & "';</script>"
          Case 3
            Response.Write "<script language=JavaScript>alert('Error! The value of parameter " & name & " contains an illegal string! Thank you for visiting, please stop the illegal activity!');location.href='" & Err_Web & "';</script>"
        End Select
        Response.End
      End If
    Next
  Next
End If
%>
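The two loops of safe.asp ported to Python, as an added example that is not the page's code, run over constructed requests to show exactly what the substring check accepts and rejects. The parameter names and values are made up; the dictionaries stand in for Request.QueryString and Request.Form, which hand the script already URL-decoded values, so the "%20from" entry can only ever match a value that still literally contains "%20from".

```python
# Lists transcribed from safe.asp. The VBScript lower-cases the value before InStr,
# so the entries must be lower case; "%20from" is the URL-encoded form of " from".
QUERY_BADWORDS = "'|and|select|update|chr|delete|%20from|;|insert|mid|master.|set|chr(37)|=".split("|")
FORM_BADWORDS = "'|(|)|;|=".split("|")


def first_hit(value, badwords):
    """Port of the inner loop: InStr(LCase(value), badword) <> 0, in list order."""
    low = value.lower()
    for bad in badwords:
        if bad in low:
            return bad
    return None


def check_request(query, form):
    """Port of safe.asp's two outer loops.

    query and form are dicts of parameter name -> already URL-decoded value, which
    is what Request.QueryString and Request.Form deliver. Returns
    ('query' or 'form', parameter name, matched entry) for the first hit, the point
    where the ASP writes its message and calls Response.End, or None when the
    request passes the filter."""
    for name, value in query.items():
        hit = first_hit(value, QUERY_BADWORDS)
        if hit is not None:
            return ("query", name, hit)
    for name, value in form.items():
        hit = first_hit(value, FORM_BADWORDS)
        if hit is not None:
            return ("form", name, hit)
    return None


# Constructed sample requests (not from the page): (GET params, POST params).
SAMPLE_REQUESTS = {
    "login payload":       ({}, {"name": "' or '1'='1", "Pass": "x"}),
    "normal login":        ({}, {"name": "alice", "Pass": "hunter2"}),
    "union in GET":        ({"id": "1 union select pass from users"}, {}),
    "benign name in GET":  ({"user": "Sandy"}, {}),      # rejected: contains "and"
    "decoded ' from'":     ({"id": "1 from users"}, {}),  # passes: list has "%20from", not " from"
    "equals in POST":      ({}, {"comment": "price=10"}),  # rejected: "=" is on the POST list
}


if __name__ == "__main__":
    for label, (query, form) in SAMPLE_REQUESTS.items():
        print(f"{label:20s} -> {check_request(query, form)}")
```

The output makes the trade-off concrete: the login payload from Method 1 is stopped on its leading quote and a union query on "select", but a user called Sandy is blocked on "and", a comment containing "=" is blocked, and a decoded value containing " from" sails through because the list entry is the encoded spelling.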
Case: http://www.wooyun.org/bugs/wooyun-2010-024354
University site anti-SQL-injection code (ASP version)